Cryptographic method comprising secure modular exponentiation against hidden-channel attacks, cryptoprocessor for implementing the method and associated chip card

ABSTRACT

A cryptographic method carries out a modular exponentiation of the type C=A&lt;B1&gt; mod N, where A is an operand, B1 is a first exponent, N is a modulus and C is a result. The method includes the steps of masking the operand A by a number s, carrying out a modular exponentiation of the masked operand by the exponent B1, and demasking the result of the exponentiation, by removing a contribution from the random number s from the result of the exponentiation. During the step of masking the operand A, the operand A is multiplied by a parameter of the form K&lt;s.B2&gt;, where K is a constant and B2 is a second exponent such that B1.B2=1 mod N. The method is implemented preferably by using a Montgomery multiplier. The preferred choice for the constant K is K=2 p , p being an integer lying between 0 and n, n being an upper bound of the size of the modulus N and conventionally depending on the choice of implementation of the Montgomery multiplication.

The invention relates to a cryptographic method secured againsthidden-channel attacks during which, in order to carry out modularexponentiation of type C=A^(B1) mod N, where A is an operand, B1 a firstexponent, N is a modulus and C is a result, the following steps arecarried out, consisting of:

-   -   E1: masking the operand A by a number s, s being a random number        or a number resulting from a function generating a deterministic        series of numbers s, or a fixed secret number,    -   E2: carrying out a modular exponentiation of the masked operand        by the exponent B1, then    -   E3: demasking the result of the exponentiation, by removing a        contribution from the random number s from the result of the        exponentiation.

Such methods are particularly interesting for asymmetric signature andencryption applications. A can therefore be, according to theapplication, a message to sign, check, encrypt or decrypt. B1 is apublic or private key, according to the application. C is a result,according to the invention, a signed or decrypted message.

Masking the number A by a number s is a known countermeasure forsecuring modular exponentiation operations, in particular when they areimplemented in chip-card type microcircuits, against so-calledside-channel or hidden-channel attacks, allowing information to beobtained on the number B1.

A first countermeasure known from document D1 (Timing Attack onImplementations of Diffie-Hellman, RSA, DSS and Other Systems, PaulKocher, Crypto 1996, LNCS Springer) consists of obtaining a randomnumber s, calculating s^(B2), where B2 is a private or public keyassociated with B1, then multiplying s^(B2) by A (s^(B2).A), raising theresult of the multiplication to the power of B1 ((s^(B2).A)^(B1)) thenreducing modulo N. B1 and B2 being a public key and an associatedprivate key such that B1.B2=1 modulo φ(N), where φ represents the Eulerfunction, such that the result ((s^(B2).A)^(B1)) modulo N is simplifiedto give (s.A^(B1)) modulo N. A division by s finally makes it possibleto obtain the desired result, C=A^(B1) modulo N. This solution iscertainly efficient, but it is expensive to implement. Indeed, in orderfor the measure to be effective, it is essential for s^(B2) to begreater than A. This means that s must be a large number, more preciselylarger than the size of A divided by the size of B2. If B2 is small (forexample less than seventeen bits), s must be large (for example morethan the number of bits of the modulus divided by seventeen). Theproduction of large random numbers requires the use of a large generatorwhich, on the one hand, consumes a considerable amount of power and, onthe other hand, requires a considerable amount of time, which is notalways compatible with chip-card applications. In addition, a long timemight be required to carry out the division.

A second countermeasure, known mainly from document D2 (J. S. Coron, P.Paillier, “Countermeasure method in an electronic component which usesan RSA-type public key cryptographic element” patent number FR 2799851.Publication date Apr. 20, 2001. Int Pub Numb. WO0128153) consists ofusing two random numbers s1, s2 to carry out the operation (A+s1.N)^(B1)mod (s2.N). Then, at the end of the calculation, the contributionprovided by s1 and s2 is removed. Since s1 and s2 can be small in size,they are easier to obtain. However, this method requires carrying out anoperation modulo s2.N. This requires the use of a larger multiplier andis not always compatible with chip-card applications.

One aim of the invention is to provide a solution for carrying out amodular operation of type A^(B1) mod N that is more interesting thanknown solutions as it is less expensive to implement.

For this reason, the invention provides for masking the operand A bymultiplying the operand A by a parameter in the form K^(s.B2), where Kis a constant (possibly public) and B2 is a second exponent such thatB1.B2=1 mod φ(N).

For the foreseen cryptographic applications, B1 and B2 are naturallyassociated private and public keys.

During the demasking step after exponentiation, the contribution K^(s)provided by the random number s is removed.

In the invention, the random number s is, on the one hand, multiplied byB2 and, on the other hand, it placed as an exponent. Thus, the parameterK^(s.B2) is large enough to mask the operand A, even when s is small.With the invention, it is not therefore necessary to have a largerandom-number generator.

Another aim of the invention is to provide a method that is quick toimplement.

For this reason, in a preferred embodiment of the invention, the stepsof masking E1, exponentiation of E2 and demasking E3 are carried outusing a Montgomery multiplier, which has the advantage of carrying outmodular multiplications which are particularly quick to execute comparedwith conventional multipliers and very useful for exponentiation.

Preferably also, the constant K is chosen to be equal to 2^(p), p beingan integer comprised between 0 and n, n being an upper bound of the sizeof the modulus N. Upper bound of the size of the modulus N is understoodhere to be a number equal to or slightly larger than the size of n, andtypically depending on the choice of implementation of the Montgomerymultiplication and/or the hardware capabilities of the processor inwhich the multiplication is implemented. For example, if N is a 520-bitnumber, and if the processor used works with 576-bit words, n willadvantageously be chosen to be equal to 576 bits.

The choice of the constant K=2^(P) makes it possible advantageously touse the properties of the Montgomery multipliers to speed up thecalculations while guaranteeing the security of the method. The choiceof a number p=n such that K=2^(n) is optimum as will be seen below.

The invention also relates to a cryptoprocessor comprising in particulara Montgomery multiplier for implementing a method such as describedabove.

The invention finally relates to a chip card comprising acryptoprocessor such as described above.

The invention will be better understood and further characteristics andadvantages of the invention will appear clearly from the descriptionprovided below, by way of non-limiting example, of the preferredembodiment of the invention.

As mentioned above, the invention relates to a secured cryptographicmethod during which, in order to carry out modular exponentiation oftype C=A^(B1) mod N, where A is an operand, B1 a first exponent, N is amodulus and C is a result, the following steps are carried out,consisting of:

-   -   E1: masking the operand A by a random number s,    -   E2: carrying out a modular exponentiation of the masked operand        by the exponent B1, then    -   E3: demasking the result of the exponentiation, by removing a        contribution from the random number s from the result of the        exponentiation.

According to the invention, during step E1 of masking the operand A, theoperand A is multiplied by a parameter in form K^(s.B2), where K is aconstant and B2 is a second exponent such that B1.B2=1 mod φ(N). In thisway, a masked operant is obtained, A′=K^(s.B2).A. The exponentiation ofA′ (step E2) by B1 produces the masked result C′=K^(s).A^(B1) mod N.Finally, during step E3, the contribution K^(s) provided by the randomnumber s is removed to obtain the desired result C.

The invention is preferably implemented using a Montgomery multiplier.

Before providing a more complete description of the method of theinvention, it is convenient to remember certain known properties of aMontgomery multiplier, described for example in document D3 (P. L.Montgomery, Modular Multiplication without trial division, Mathematicsof computation, 44(170) pp 519-521, April 1985).

A Montgomery multiplier makes it possible to carry out multiplicationsof type Mgt(A,B,N)=A.B.R⁻¹ mod N. One advantage of this multiplier isits calculation speed. One disadvantage of this multiplier is that itintroduces a constant R, called Montgomery constant, to the calculation.R is a power of 2 coprime with N: R=2 with n such that GCD(R, N)=1.

The Montgomery constant is intrinsic in the multiplier and it isnecessary to remove its contribution in the early stages of thecalculation, during the calculation or at the end. Thus, to calculateC=A.B mod N, it is possible for example first to calculate A.R thenMgt(A.R,B,N)=A.B mod N. It is also possible to carry out a firstmultiplication C₀=Mgt(A.R, B.R, N)=A.B.R mod N followed by a secondmultiplication of type C=Mgt(1, C₀, N)=A.B mod N.

The Montgomery multiplier also makes it possible to carry out modularexponentiations of type C=MgtExp(A,B,N)=AB.R^(−(B−1)) mod N orC=MgtExp(A.R,B,N)=A^(B).R mod N (in this case the constant R^(−B)introduced by the calculation is compensated by multiplying A by R inthe early stages of the calculation). Concretely, to carry out aMontgomery exponentiation, an algorithm such as that commonly referredto as “square and multiply” is executed, consisting, in a loop indexedby i varying between q−1 and 0, q being the size of the number B, of asuccession of multiplications of type U_(i)=Mgt(U_(i-1), U_(i-1), N) andpossibly Mgt(U_(i), A, N) (or Mgt(U_(i), A.R, N)), according to thevalue of a bit B_(i) of B associated with the index i, U_(i) being aloop variable initialised at the value U_(q)=R. This exponentiation isexplained in greater detail in document D4 (Handbook of AppliedCryptography by A. Menezes, P. Van Oorschot and S. Vanstone, CRC Press1996, chapter 14, algorithm 14.94). This exponentiation calculation hasthe advantage of being particularly quick.

Montgomery operations have the following main characteristics, whichwill be used subsequently:Mgt(A,B,N)=A.B.R ⁻¹ mod NMgt(A.R,B.R,N)=A.B.R mod NMgt(1,1,N)=Mgt(N−1,N−1,N)=R ⁻¹ mod NMgt(A,1,N)=Mgt(N−A,N−1,N)=A.R ⁻¹ mod NMgtExp(A.R,B,N)=A ^(B) .R mod N

In the preferred embodiment of the method of the invention, Montgomerymultiplications and exponentiations are used to speed up the calculationof exponentiation masked by the random number K^(s.B2).

Initially, during step E1 of masking the operand A, the followingsubsteps are carried out, which consist of:

-   -   E11: carrying out a first Montgomery exponentiation of the        constant K by the result of multiplying the random number s by        the second exponent B2; the mask K^(s.B2) mod N is obtained in        this way, then    -   E12: carrying out a Montgomery multiplication of the result of        the first Montgomery exponentiation (=the mask K^(s.B2)) by the        operand A to produce a masked operand A′ (A′=K^(s.B2).A mod N).

Then, during the step of exponentiation of the masked operand A′, thefollowing substep is carried out:

-   -   E212: carrying out a second Montgomery exponentiation of the        masked operand A′ by the first exponent B1 to produce a masked        result C′.

Finally, during step E3 of demasking the masked result, the followingsubsteps are carried out:

-   -   E31: carrying out a third Montgomery exponentiation to calculate        the parameter K^(−s),    -   E32: carrying out a Montgomery multiplication of the masked        result C′ by K^(−s).

As mentioned previously, Montgomery multiplications and exponentiationsintroduce a contribution in the result which depends on the Montgomeryconstant R. This constant can be eliminated at the end of eachmultiplication, for example by carrying out a Montgomery multiplicationby R² after a calculation. When this is possible, and in particular forthe exponentiations, it is easier to compensate the constant R in anearlier stage, by multiplying the operand by the constant R, rather thancompensating a power of R (especially a negative power of R) at the end.

Likewise, a correct choice of the constant K makes it possible furtherto increase the speed of the calculation, in particular in step E31 ofthe calculation of K^(−s). More precisely, choosing a constant K=2^(p)(p being comprised between 0 and n) with the same form as the Montgomeryconstant R=2^(n), makes it possible to simplify the calculations. Thefollowing appears in particular:

 Mgt(1, 1, N) = Mgt(N − 1, N − 1, N)          = R⁻¹mod NMgt(A, 1, N) = Mgt(N − A, N − 1, N)          = A ⋅ R⁻¹mod NMgt(2^(p), 1, N) = Mgt(N − 1, N − 1, N)          = 2^(p) ⋅ 2^(−n)mod N          = (2^(n − p))⁻¹mod NMgt(2^(n − p), 1, N) = Mgt(N − 2^(n − p), N − 1, N)            = 2^(n − p) ⋅ 2^(−n)mod N            = (2^(p))⁻¹mod N,  with  2^(n − p) = R/K

The calculation of the inverse of K and then K^(−s) is thus facilitated.

After various simplifications following the choice of K=2^(p), a methodis finally obtained comprising all the following steps.

E0: initialisation:

-   -   E011: choosing an integer j and calculating the constant        K=R/2^(j), (as R=2^(n), K=2^(p) with p=n−j)    -   E012: choosing a random number s and multiplying it by B2 to        obtain s1,    -   E013: calculating R²,

E1: masking A as A′

-   -   E11: calculating the mask K^(s1)        -   E111: calculating T1=Mgt(K,R²,N)=K*R mod N; this step makes            it possible to compensate upstream the contribution of R in            the following exponentiation        -   E112: calculating U1=MgtExp(T1,s1,N)=K^(s1)*R mod N    -   E12: masking A as A′        -   E121: calculating M1=Mgt(U1,A,N)=K^(s1).A mod N

E2: calculating C′=A′^(B1) mod N

-   -   E211: calculating M2=Mgt(M1,R²,N)=K^(s1).A.R mod N; this step        makes it possible to compensate upstream the contribution of R        in the following exponentiation    -   E212: calculating U2=MgtExp(M1,B1,N)=A^(B1).K^(s).R mod N

E3: finding C based on C′

-   -   E31: calculating K^(−s)        -   E311: calculating I1=Mgt(2^(j),1,N)=K⁻¹ mod N        -   E312: calculating I2=Mgt(I1,R²,N)=K⁻¹.R mod N        -   E313: calculating V=MgtExp(I2,s,N)=K^(−s).R mod N    -   E32: calculating C=C′.K^(−s)        -   E321: calculating U3=Mgt(U2,V,N)=A^(B1).R mod N        -   E322: calculating U4=Mgt(U3,1,N)=A^(B1) mod N

It should be noted that, when implementing the above method in acryptoprocessor, the same register or part of the memory can be used tostore intermediate variables, with names containing the same letter: M1,M2 can be stored in succession in a register M, the same goes forvariables I1, I2, which can be stored in the same register I, andvariables U1, U2, U3, U4 can be stored in the same register U.

The particular choice of K=2^(n) makes it possible further to speed upthe calculation since the fact that K=R allows further simplifications.

After simplification, the following method is obtained:

E0: initialisation:

-   -   E012: choosing the random number s and calculating s1=s.B2+1.    -   E013: calculating R²,

E1: masking A as A′

-   -   E11: calculating the mask R^(s1)        -   E112: calculating U1=MgtExp(R²,s1,N)=R^(s1)*R mod N    -   E12: masking A as A′        -   E121: calculating M1=Mgt(U1,A,N)=R^(s1)*A mod N=R^(s.B2).A.R            mod N

E2: calculating C′=A′^(B1) mod N

-   -   E212: calculating U2=Mgt(M1,B1,N)=A^(B1).R^(s).R mod N

E3: finding C based on C′

-   -   E31: calculating R^(−(s+1))        -   E313: calculating V=MgtExp(1,s+1,N)=R^(−(s+1)).R mod N    -   E32: calculating C=C′.K^(−(s+1))        -   E321: calculating U3=Mgt(U2,V,N)=A^(B1) mod N

Compared with the general case where K=2^(p), the followingsimplifications have been made:

-   -   K being equal to R, step E011 becomes needless,    -   step E111 also becomes needless since R2 is already calculated        during step E013,    -   by calculating s1=s.B2+1 (instead of s1=s.B2) during step E012,        step E211 becomes needless,    -   R⁻¹ is calculated immediately, rendering steps E311 and E312        needless    -   by choosing s=s+1 in step E31 it is possible to skip step E222.

Evidently, in the method described above, certain steps can be moved orswitched around. For example, in the initialisation step E0, thesubsteps can be carried out in a different order.

As was seen above, the invention can advantageously be implemented tocarry out the exponentiation C=A^(B1) mod N in the following threesteps:

-   -   E1: A′=A.K^(s.B2) (masking of A)    -   E2: C′=A′^(B1) mod N (exponentiation)    -   E3: C=C′*K^(−s) (demasking)

The invention can also be advantageously combined with the ChineseRemainder Theorem to speed up the exponentiation calculation. This iscommonly referred to as RSA-CRT.

According to the Chinese Remainder Theorem (CRT), known from document D5(Cryptography Theory and Practice, chapter 4, Douglas R. Stinson, 1995,CRC Press), a conventional exponentiation calculation C=A^(B1) mod N canbe broken down as follows:

-   -   Cp=(A mod p) B^(p1) mod p    -   C1=(A mod 1)B^(q1) mod q    -   C=Cq+q*(Iq*(Cp−Cq)mod p)mod N

where

-   -   p and q are two prime integers such that p*q=N,    -   Bp1=B1 mod(p−1)    -   Bq1=B1 mod(q−1)    -   Iq=q⁻¹ mod p

Applied to this CRT breakdown, the invention leads to the followingmethod:

-   -   E1: masking the operand A (A′=K^(u.B2)*A) by a number u equal to        twice the number s, multiplying the operand A by a parameter        k^(u.B2),    -   E2: calculating C′ using the Chinese Remainder Theorem        (exponentiation):

Cp^(′) = (A^(′)modp)^(B 1p)mod p; Cq^(′) = (A^(′)modq)^(B 1q)mod q;C^(′) = Cq^(′) + q * (Iq.(Cp^(′) − Cq^(′))mod p)mod N   = K^(u) * A^(B 1)modN   = K^(2s) * C^(′)mod N

-   -   E3: C=C′*K^(−2s) (demasking)

Preferably, for an easier calculation, K² is calculated first, and then(K²)^(−s).

In one variation, it is also possible to carry out the following:

-   -   E1: masking the operand A by a number u equal to twice the        number s, as follows:        Ap′=K ^(u.B2) *A mod p        Aq′=K ^(u.B2) *A mod q    -   E2: calculating C′ using the Chinese Remainder Theorem        (exponentiation):

Cp^(′) = (Ap^(′))^(B 1p)mod p; Cq^(′) = (Aq^(′))^(B 1q)mod q;C^(′) = Cq^(′) + q * (Iq.(Cp^(′) − Cq^(′))mod p)mod N   = K^(u) * A^(B 1)modN   = K^(2s) * C^(′)mod N

-   -   E3: C=C′*K^(−2s) (demasking)

In a preferred embodiment of the invention, a constantK=2^(max(size(p), size(q)))=2r is chosen, where r is the largest sizebetween the size of p and the size of q. This choice allowssimplifications when implementing the method using a Montgomeryprocessor.

It is then noted that in step E3 the value K² in (K²)^(−s) is suitablefor modular Montgomery operations on the module N knowing that the sizeof N is less than or equal to the sum of the sizes of p and q,size(N)≦size(p)+size(q)≦2*max(size(p),size(q)).

It should be noted finally that the method of the invention can becombined with previous methods to further increase the security of themethod.

For example, in addition to masking A by K^(s.B2), it is also possibleto use a random number s2 to mask N, as described in document D2 and theprior art of the present document. If the Chinese Remainder Theorem isused, it is also possible to mask p and q by s2.

1. Cryptographic method during which, in order to carry out a modularexponentiation of type C=A^(B1) mod N, where A is an operand comprisinga message on which a cryptographic operation is being performed, B1 is afirst exponent, N is a modulus, and C is a result, comprising thefollowing steps: masking, by a cryptographic device, the operand A by arandom number s, carrying out, by the cryptographic device, a modularexponentiation of the masked operand by the exponent B1, then demasking,by the cryptographic device, the result of the exponentiation, byremoving a contribution from the random number s from the result of theexponentiation, to thereby obtain a signed, encrypted or decryptedversion of said message, wherein during the step of masking the operandA, the operand A is multiplied by a parameter in the form K^(s.B2),where K is a constant and B2 is a second exponent such that B1.B2=1 modφ(N).
 2. Method according to claim 1, wherein the step of masking theoperand A comprises the following substeps: carrying out, by thecryptographic device, a first Montgomery exponentiation of the constantK by the result of multiplying the random number s by the secondexponent B2, then carrying out, by the cryptographic device, aMontgomery multiplication of the result of the first Montgomeryexponentiation by the operand A to produce a masked operand A′(A′=K^(s.B2)).
 3. Method according to claim 2, wherein theexponentiation step comprises the following substep: carrying out, bythe cryptographic device, a second Montgomery exponentiation of themasked operand A′ by the first exponent B1 to produce a masked resultC′.
 4. Method according to claim 3, wherein the step of demasking theresult of the exponentiation comprises the following substeps: carryingout, by the cryptographic device, a third Montgomery exponentiation tocalculate the parameter K^(−s), carrying out, by the cryptographicdevice, a Montgomery multiplication of the masked result C′ by K^(−s).5. Method according to claim 2, wherein the constant K is equal to2^(p), p being an integer between 0 and n, n being an upper bound of thesize of the modulus N.
 6. Method according to claim 5, wherein theconstant K is equal to 2^(n).
 7. Method according to claim 5, comprisingthe following steps and subsets: initialisation: choosing an integer jand calculating the constant K=R/2^(j), choosing a random number s andmultiplying it by B2 to obtain s1, calculating R², R being a Montgomeryconstant equal to 2^(n), masking A as A′, calculating the mask K^(s1)calculating T1=Mgt(K,R²,N)=K*R mod N calculatingU1=MgtExp(T1,s1,N)=K^(s1)*R mod N masking A as A′ calculatingM1=Mgt(U1,A,N)=K^(s1).A mod N calculating C′=A′^(B1) mod N calculatingM2=Mgt(M1,R2,N)=K^(s1).A.R mod N calculatingU2=MgtExp(M1,B1,N)=A^(B1).K^(s).R mod N finding C based on C′calculating K^(−s) calculating I1=Mgt(N−2^(j),N−1,N)=Mgt(2^(j),1,N)=K⁻¹mod N calculating I2=Mgt(I1,R²,N)=K⁻¹.R mod N calculatingV=MgtExp(I2,S,N)=K^(−s).R mod N calculating C=C′.K^(−s) calculatingU3=Mgt(U2,V,N)=A^(B1).R mod N calculating U4=Mgt(U3,1,N)=A^(B1) mod N.8. Method according to claim 6, comprising the following steps andsubsteps: initialisation choosing the random number s and calculatings1=s.B2+1 calculating R², masking A as A′ calculating the mask R^(s1)calculating U1=MgtExp(R²,S1,N)=R^(s1).R mod N masking A as A′calculating M1=Mgt(U1,A,N)=R^(s1)*A mod N=R^(s.B2).A.R mod N calculatingC′=A′^(B1) mod N calculating U2=Mgt(M1,B1,N)=A^(B1).R^(s).R mod Nfinding C based on C′ calculating R^(−(s+1)) calculatingV=MgtExp(1,s+1,N)=R^(−(s+1)).R mod N calculating C=C′.K^(−(s+1))calculating U3=Mgt(U2,V,N)=A^(B1) mod N.
 9. Method according to claim 1,wherein the steps of masking, modular exponentiation and demasking aremodified as follows: masking, by the cryptographic device, the operand A(A′=K^(u.B2)*A) by a number u equal to twice the number s, multiplyingthe operand A by a parameter K^(u.B2); carrying out, by thecryptographic device, a modular exponentiation of the operand masked bythe exponent B1, broken down according to the Chinese Remainder Theoreminto the following substeps: Cp=(A mod p) BP¹ mod p, C1=(A mod 1) B^(q1)mod q C=Cq+q*(Iq*(Cp−Cq) mod p) mod N damasking, by the cryptographicdevice, the result of the exponentiation (C′), multiplying the result ofthe exponentiation (C′) by K^(−2s) mod N, where p and q are two integerswhich multiplied give the result of N (p*q=N), Bp1 is equal to B1modulus p−1, Bq1 is equal to B1 mod q−1, Iq is equal to q⁻¹ mod p. 10.Method according to claim 9, wherein K is equal to 2r, where r is thelargest size from among the size of p and the size of q.
 11. Acryptoprocessor device comprising a Montgomery multiplier configured toimplement a method to carry out a modular exponentiation of typeC=A^(B1) mod N, where A is an operand comprising a message on which acryptographic operation is being performed, B1 is a first exponent, N isa modulus, and C is a result, comprising the following steps: maskingthe operand A by a random number s, carrying out a modularexponentiation of the masked operand by the exponent B1, then demaskingthe result of the exponentiation, by removing a contribution from therandom number s from the result of the exponentiation, to thereby obtaina signed, encrypted or decrypted version of said message, wherein duringthe step of masking the operand A, the operand A is multiplied by aparameter in the form K^(s.B2), where K is a constant and B2 is a secondexponent such that B1.B2=1 mod φ(N), wherein the step of masking theoperand A comprises the following substeps: carrying out a firstMontgomery exponentiation of the constant K by the result of multiplyingthe random number s by the second exponent B2, then carrying out aMontgomery multiplication of the result of the first Montgomeryexponentiation by the operand A to produce a masked operandA′(A′=K^(s.B2)).
 12. The cryptoprocessor device of claim 11 wherein thecryptoprocessor device is comprised within a Chip card.
 13. Methodaccording to claim 1, wherein the cryptographic device is a chip card.